Closed Bug 394239 Opened 18 years ago Closed 18 years ago

Crash [@ nsIFrame::Invalidate] with object, positioning and bidi character

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smontagu)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

testcase
321 bytes, text/html
Details
Frame dump and some debugging output
15.74 KB, text/plain
Details
Patch
1.28 KB, patch
roc
: review+
roc
: superreview+
roc
: approval1.9+
Details | Diff | Splinter Review
Attached file testcase
See testcase, when hovering over the text input, I crash with current trunk build. This seems to have regressed since yesterday: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-08-28+04&maxdate=2007-08-29+09&cvsroot=%2Fcvsroot Regression from bug 384527, somehow? http://crash-stats.mozilla.com/report/index/ec77cc47-567a-11dc-9fb9-001a4bd43ef6 0 nsIFrame::Invalidate(nsRect const&, int) mozilla/layout/generic/nsFrame.cpp:3536 1 nsFrameManager::RemoveFrame(nsIFrame*, nsIAtom*, nsIFrame*) mozilla/layout/base/nsFrameManager.cpp:688 2 DeletingFrameSubtree mozilla/layout/base/nsCSSFrameConstructor.cpp:9338 3 nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) mozilla/layout/base/nsCSSFrameConstructor.cpp:9490 4 nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*) mozilla/layout/base/nsCSSFrameConstructor.cpp:11074 5 nsCSSFrameConstructor::RestyleElement(nsIContent*, nsIFrame*, nsChangeHint) mozilla/layout/base/nsCSSFrameConstructor.cpp:9939 6 nsCSSFrameConstructor::ProcessOneRestyle(nsIContent*, nsReStyleHint, nsChangeHint) mozilla/layout/base/nsCSSFrameConstructor.cpp:12962 7 nsCSSFrameConstructor::ProcessPendingRestyles() mozilla/layout/base/nsCSSFrameConstructor.cpp:13015 8 nsCSSFrameConstructor::RestyleEvent::Run() mozilla/layout/base/nsCSSFrameConstructor.cpp:13086 9 nsThread::ProcessNextEvent(int, int*) mozilla/xpcom/threads/nsThread.cpp:490 10 NS_ProcessNextEvent_P(nsIThread*, int) nsThreadUtils.cpp:227 11 nsBaseAppShell::Run() mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:154 12 nsAppStartup::Run() mozilla/toolkit/components/startup/src/nsAppStartup.cpp:170 13 XRE_main mozilla/toolkit/xre/nsAppRunner.cpp:3069 14 main mozilla/browser/app/nsBrowserApp.cpp:153 15 WinMain mozilla/browser/app/nsBrowserApp.cpp:166 16 __tmainCRTStartup crtexe.c:589
I can reproduce the crash but with a rather different stack: #6 0xb5cb91d2 in nsCachedStyleData::GetStyleDisplay (this=0xddddddf9) at nsStyleStructList.h:95 #7 0xb5cbc7ae in nsStyleContext::GetStyleDisplay (this=0xdddddddd) at nsStyleStructList.h:95 #8 0xb5acfbad in nsIFrame::GetStyleDisplay (this=0x8d5e914) at nsStyleStructList.h:95 #9 0xb5ab15e5 in GetChildListNameFor (aChildFrame=0x8d5e914) at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:1719 #10 0xb5ab350e in DeletingFrameSubtree (aFrameManager=0x8e09b7c, aFrame=0x0) at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:9338 #11 0xb5accdab in nsCSSFrameConstructor::ContentRemoved (this=0x8df17c0, aContainer=0x8e63c00, aChild=0x8dca1c8, aIndexInContainer=1, aInReinsertContent=0) at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructo r.cpp:9490 #12 0xb5acaa17 in nsCSSFrameConstructor::RecreateFramesForContent ( this=0x8df17c0, aContent=0x8dca1c8) at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:11074 #13 0xb5acb0a8 in nsCSSFrameConstructor::RestyleElement (this=0x8df17c0, aContent=0x8dca1c8, aPrimaryFrame=0x8d13cb8, aMinHint=0) at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:9939 #14 0xb5acb2d3 in nsCSSFrameConstructor::ProcessOneRestyle (this=0x8df17c0, aContent=0x8dca1c8, aRestyleHint=eReStyle_Self, aChangeHint=0) at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:12962 #15 0xb5acb4f9 in nsCSSFrameConstructor::ProcessPendingRestyles ( this=0x8df17c0) at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:13015 #16 0xb5acb65e in nsCSSFrameConstructor::RestyleEvent::Run (this=0x8cf5020) at /home/smontagu/mozwork/debugtree/mozilla/layout/base/nsCSSFrameConstructor.cpp:13086
Reverting the patch from bug 384527 doesn't fix this.
Sorry, comment 2 is wrong: this is indeed a regression from bug 384527
Assignee: nobody → smontagu
Attached patch PatchSplinter Review
I don't really know why this prevents the crash, but it does, and it seems more correct than the original patch to bug 384527 anyway.
Attachment #279430 - Flags: superreview?(roc)
Attachment #279430 - Flags: review?(roc)
Attachment #279430 - Flags: superreview?(roc)
Attachment #279430 - Flags: superreview+
Attachment #279430 - Flags: review?(roc)
Attachment #279430 - Flags: review+
Attachment #279430 - Flags: approval1.9+
Checked in
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007090504 Minefield/3.0a8pre
Status: RESOLVED → VERIFIED
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsIFrame::Invalidate]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: